NJ and SF fare cards hacked for free rides

Amtrak Unlimited Discussion Forum


CHamilton

http://www.itworld.com/security/296527/android-nfc-hack-enables-travelers-ride-us-subways-free-researchers-say

Android NFC hack enables travelers to ride US subways for free, researchers say

September 20, 2012, 12:29 PM — Contactless fare cards in the New Jersey and San Francisco transit systems can be manipulated using an Android application, enabling travelers to reset their card balance and travel for free, researchers demonstrated on Thursday during the EUSecWest security conference in Amsterdam. An NFC (near field communication) Android smartphone can read the data from a fare card with, for instance, 10 rides on it, using the "UltraReset" application, said Corey Benninger and Max Sobell, security researchers at the Intrepidus Group and the application's developers. When travelers have used up their balance they are able to write the stored data back to the card using the same app, resetting the balance to 10 rides, the researchers said. ... The application takes advantage of a flaw found in particular NFC-based cards, the researchers said, adding that these cards are used in the San Francisco Muni and the New Jersey Path transit systems
 
Wonder if Dick, Stephen and jis are riding for Free today? :lol: (And would this work during the Gathering?? Just kidding Folks!) <_<
 
It sounds like this is a much larger issue for the West Coast then. The "Clipper" cards have been pushed so heavily in the last few years that they are not just found on MUNI. You can use Clipper for BART, CalTrain, VTA (Santa Clara County), AC-Transit (Alameda County), County Connection (Contra Costa County), and there has been scuttlebutt on them being somehow integrated for the Capitol Corridor in the future through fare machines that would print a ticket using a Clipper card as a means for payment. As a result, there are hundreds of thousands of Clipper cards in use every single day in the Bay Area. A major issue, especially in this funding-sensitive era for transit.
 
Clipper uses the same technology as the ORCA cards here in the Seattle region. (I didn't check to see what would happen if I tapped my ORCA card on one of Clipper's card readers...have to try that sometime.) ORCA is accepted by several county bus systems; Sound Transit light rail, commuter trains and buses; and on Washington State Ferries.
 